Human Rights Committee: Article 8 Privacy and digital
Is your personal data safe? Session 2: collection and storage
Weds 15.15, Committee Room 4A
The cost of collecting personal data gets lower every year, as new sources of data increase. How is data gathered about users? To what extent are they aware of the range of ways this is done? Is lawfully collected data always stored in compliance with the applicable laws and regulations?
In this session, the Human Rights Committee will look at data protection and storage, with:
- Professor Victoria Nash, Deputy Director, Associate Professor and Senior Policy Fellow, Oxford Internet Institute
- Dr Reuben Binns, Postdoc researcher, Department of Computer Science, University of Oxford
- Alexander Hazell, Head of UK Legal and Data Protection Officer, and Jed Mole, VP Marketing, Acxiom.
- Madhumita Murgia, European Technology Correspondent, FT.
Victoria Nash’s recent projects have included an analysis of age verification policies as a tool for balancing the interests of children and adults online, and a review of the risks and harms faced by children online. She is currently concluding a research project examining the concept of the ‘algorithmic child’ and the data risks posed to children by connected toys and the Internet of Things.
Dr Reuben Binns recently led a study which looked at the extent to which Android apps are set up to share data back to Google. It found that most apps contain third-party tracking and that nearly 90 per cent of Android apps are set up to transfer information back to Google, which enables the construction of detailed profiles about individuals.
Alex Hazell has 15 years’ experience as a commercial technology and privacy lawyer and advises on all aspects of technology contract law, data protection law, intellectual property law, employment law, corporate law and commercial litigation. Jed Mole regularly writes about data-driven marketing and data protection issues.
In her TEDx talk, How data brokers stole my identity (16 min), Madhumita Murgia explores the far-reaching consequences which data collection and sharing can have on people’s lives beyond just targeted advertising, especially when these practices extend to banks and insurance companies.
The main areas for discussion on Weds include:
- Purpose: how does data collection and storage help users? Can it be used to strengthen individual human rights?
- Methods: how much is collected directly and how much bought from third parties – and on what legal basis?
- Consumer awareness: how do companies ensure that users know what is being done with their data – including that collected from baby monitors, toy dolls and voice controlled TVs?
- Principles of data protection: how to ensure that data profiling is lawful and proportionate?
- Security: how to protect against breaches – especially cloud storage?
Key concerns raised in written evidence:
The Information Commissioner’s Office describes how data collection has become so widespread:
One common business model, which allows companies to offer ‘free services’ in exchange for personal data, is predicated on the need to collect ever increasing amounts of personal information and to keep users engaged with technology as long as possible – what is often called the ‘attention economy’.
The organisations which are most successful in this can then consolidate their position, and increase their market share in a ‘winner takes most’ approach. This leads to the desire to acquire smaller market players resulting in further aggregation of data. The situation becomes one where large companies control enormous amounts of data on individuals.
Slowly the business model has moved from the collection of data to improve services/products toward an accumulation of data for other commercial purposes, most notably targeted advertising and personalisation of content. The role of data has evolved over the course of the digital revolution and individuals may not have noticed the gradual erosion of control or ownership of their data as time has gone on…
And the risks of data aggregation practices leading to detailed profiles of individuals:
The ICO’s submission explains that “this is the process where separate distinct portions of personal data are collected in return for a series of services, and then unbeknownst to the data subject are aggregated to form a much more complete picture of the data subject than might be reasonably anticipated.
As we enter the era of ‘the internet of things’ an increasing number of aspects of people’s lives will yield data including, for example, GPS systems in cars and on phones, online search histories, credit/debit card purchases, social media communications, and cookies on websites; combined they paint a sophisticated picture of an individual data subject.
Aggregation is also an issue where smaller individual tech firms are purchased by larger ones, along with the data they hold. The ownership structure is often not clear to users. Adtech is a good example of where this can happen. The two large players in this sphere, Facebook and Google, have acquired smaller businesses with the incumbent data sets and different channels through which to collect more personal data in the future. Where consent for use of that data has been given by individuals at different times and to different entities the flow of data can be opaque.”
- Lack of awareness/explicit consent about how the data is used/shared: data can be collected by one business and then sold or transferred to another, often through data brokers. “A data subject may consent to the collection and processing of their data in return for a service from one business without reasonably expecting it to be transferred to another. The use of data brokers, by businesses, to buy and sell data is an increasingly prominent element in the risks to privacy in this sphere.”
- Loss of privacy: as more and more devices become connected to the internet, there are concerns that this has great implications for both privacy and cybersecurity. Written evidence from Horizon Digital Economy Research Institute at the University of Nottingham states: “…the Internet of Things is likely to become one of the largest problem areas for cybersecurity and for privacy. Far too often security and privacy concerns are given too low a priority in the design process, resulting in easily hackable IoT devices. Particularly concerning are the examples, including connected baby monitors, voice-controlled TVs and toy dolls (e.g. Hello Barbie), that continuously stream very personal video and audio information to data centres, often outside of the jurisdiction of the UK (and EU) data controllers. A worrying result in this space is the finding of a U. Michigan study which showed that people who buy “Smart Speakers” (e.g. Alexa, Google Now devices) expect and worry that the devices will collect data from private conversations but have resigned themselves to the idea that “big brother” type intrusions on their privacy have become inevitable.”
Human Rights Committee Members
| Member | Party |
|---|---|
| Ms Harriet Harman (Chair) | Labour |
| Lord Brabazon of Tara | Conservative |
| Ms Karen Buck | Labour |
| Joanna Cherry | Scottish National Party |
| Baroness Ludford | Liberal Democrat |
| Baroness Massey of Darwen | Labour |
| Lord Morris of Handsworth | Labour |
| Lord Singh of Wimbledon | Crossbench |
Watch committees and parliamentary debates online: www.parliamentlive.tv